Juha Heinanen wrote:
Klaus Darilion writes:
> Today I found out that openser does not unescape the escaped characters
> when parsing the message. Thus, it is easy to bypass typical routing
> logic by escaping the digits, e.g.
>
> if (uri =~ "^sip:0900.*") {
> sl_send_reply("403","sex hotlines are not allowed");
> exit;
> }
>
> can be tricked by calling sip:%30900...
yes, if you accept % character in your r-uri to pstn.
> Shouldn't we unescape the message when parsing?
this has been discussed a few times before. i have suggested that we
should unescape characters at least in r-uri when request is received
and then escape them back when request is sent out.
I agree with you - the parameters which will be used for routing
(matching against regexp or simple if conditions) IMO MUST be unescaped
to avoid bypassing the check.
Bogdan, Daniel - what do you think?
regards
klaus
--
Klaus Darilion
nic.at
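
The check discussed in this thread, as an added example that is not part of the original messages or of openser's code: a Python sketch that percent-decodes the user part of the R-URI once before applying the 0900 pattern from the quoted snippet. The function names, the constructed example.com URIs and the pstn_strict option (reject a user part that still contains '%' after decoding) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Pattern taken from the routing snippet quoted in the thread.
BLOCKED = re.compile(r"^sip:0900.*")


def naive_decision(uri):
    """Match the raw R-URI, as the quoted routing logic does."""
    return "403" if BLOCKED.match(uri) else "route"


def normalize_ruri(uri):
    """Percent-decode the user part of a sip:/sips: URI exactly once."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    user, at, hostpart = rest.partition("@")
    if not at:  # no user part, nothing to decode
        return scheme.lower() + ":" + rest
    return scheme.lower() + ":" + unquote(user) + "@" + hostpart


def decision(uri, pstn_strict=True):
    """Apply the block rule to the unescaped R-URI.

    pstn_strict (hypothetical option): a '%' left in the user part after
    one decoding pass means a literal '%', a malformed escape or a
    double-encoded digit, none of which belongs in a PSTN number.
    """
    norm = normalize_ruri(uri)
    if BLOCKED.match(norm):
        return "403"
    user = norm.partition(":")[2].partition("@")[0] if "@" in norm else ""
    if pstn_strict and "%" in user:
        return "403"
    return "route"


if __name__ == "__main__":
    # Constructed sample R-URIs.
    for ruri in ("sip:0900123456@example.com",
                 "sip:%30900123456@example.com",
                 "sip:%2530900123456@example.com",
                 "sip:0800123456@example.com"):
        print(ruri, naive_decision(ruri), decision(ruri))
```

The outgoing request would still need the user part escaped again where required, as suggested in the thread; this sketch covers only the matching side.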